id_rsa.pub is the public key and need not be protected at all. In fact it needs to be published in order to work. I assume you're actually talking about id_rsa (the private key) in this question.

You certainly don't have to generate a new SSH key every time you're on a new computer or re-install your OS. You can copy that file from one computer to another. Or, if you're temporarily on a different computer where you don't want to store your key, you can log in remotely to the computer where the key is stored with ssh -A and load the key into your local agent with ssh-add. (You should only do this if you trust root on the computer you are temporarily using.)

You also should already have a passphrase on your SSH key (if you don't, add one right now, or better yet, consider the key compromised and replace it!), otherwise anyone who even briefly gets access to the computer where the key is stored will have access to it.

If copying the file manually from one computer to another is not convenient for you, you can store your SSH key in the cloud (GitHub or otherwise). Personally, I would prefer not to.

I assume you mean to use a private GitHub repository for this purpose. Although an SSH key with a passphrase should be useless to anyone without the passphrase, you should still keep the encrypted key to yourself, in case someone ever obtains your passphrase.

EDIT: More on sharing id_rsa

Even though id_rsa is unusable to anyone who does not possess the passphrase that goes with it, you should still not share it.

The SSH key can be considered sort of like a form of two-factor authentication. The id_rsa file is Something You Have. The passphrase is Something You Know. Only together are they useful. I say "sort of like" because you don't actually carry around the id_rsa file with you as you would with the Something You Have component of a real 2-factor authentication system.

Not sharing the id_rsa file provides some protection in case your passphrase is revealed to someone else. If that happens, you should definitely revoke the key, but at least there is a chance that an attacker can't do anything if they can't get a copy of id_rsa.